Hopefully fixed in the upcoming version

Jul 10, 2010 08:36 GMT

The development team behind OpenCart, a popular open source online shopping cart solution, is analyzing details regarding fourteen vulnerabilities in the e-commerce software. The flaws were discovered as part of an educational vulnerability research project.

Earlier this week we published an article informing the public about the existence of fourteen unpatched vulnerabilities in OpenCart. We also shared the opinion of a security researcher involved in their discovery, who advised webmasters to stop using the product. This is an update to that article, providing more background information and announcing new developments.

During the last few days, we have been in contact with both Daniel Kerr, the lead developer behind the OpenCart project and Eduardo Vela, the security researcher who reported the security issues on his blog. Mr. Kerr challenged the existence of any vulnerabilities and asked for our article to be removed. He also stressed that he never refused to fix any bug disclosed to him by Mr. Vela.

In light of those claims we contacted Eduardo Vela and asked him for more information about the vulnerabilities. The security researcher was kind enough to grant us access to the issue tracker containing the technical details about them. Therefore, we can confirm that there were four high-risk ones, which could lead to complete application/server compromise. One of them was a CSRF flaw, which Mr. Kerr said had already been fixed before Vela's report.

There were two vulnerabilities of medium severity, because they required special conditions to be exploited, and eight low-risk ones that could result in information leaks. The security researcher told us that while these could not be exploited to cause damage on their own, the information they reveal could be useful to a hacker when planning an attack.

According to Vela, the vulnerabilities were discovered in OpenCart 1.4.7, the most current version at that time. However, he was able to confirm the presence of at least one of the high-risk ones on the official OpenCart demo installation, which runs the latest 1.4.8.

We were also told that the vulnerabilities were found as part of an educational effort led by a researcher known as WHK, who tries to teach vulnerability research to Spanish-speaking students. In order to learn, the project members perform free code inspections for open source software.

Mr. Kerr's statement, which we published in our previous article, is part of his final response to a series of emails informing him of the security review WHK's group was going to perform. Eduardo Vela participated in the project as planner and coordinator and was responsible for contacting developers, vulnerability trackers and CERTs. He was therefore able to give us access to the entire communication.

After we exchanged several emails with the OpenCart lead developer, he agreed to review the "so called vulnerabilities" that were the subject of our previous article. Eduardo Vela later confirmed to us that he had reestablished contact with Daniel Kerr and granted him access to the issue tracker.

Regardless of who was to blame for the communication process breaking down in the first place, we are glad that some potentially dangerous issues will be addressed, and we appreciate Mr. Kerr's commitment to his community.

UPDATE (21st of July 2010): The OpenCart development team has finished assessing the vulnerabilities. Read more about their findings here.

You can follow the editor on Twitter @lconstantin